That’s why two-factor authentication has exploded in popularity over the last decade. A single password is too brittle for true security, and adding a second layer of defense will keep your accounts better secured.

But two-factor authentication isn’t perfect. In fact, it can come around to bite you in the rear if you aren’t careful. Here are a few overlooked downsides.

Types of Authentication Factors

Multi-factor authentication is a practice that requires you to present multiple bits of evidence (“factors”) that each authenticate your identity. If you don’t have all the authentication factors, then the system won’t grant you access to your account.

There are all kinds of authentication factors that can be used as part of a multi-factor system, but they all tend to fall into three broad groups:

Knowledge factor (“something you know”): The system accepts you if you show that you know a certain bit of information. Examples include PINs, answers to security questions, tax return details, etc.

Possession factor (“something you have”): The system accepts you if you can prove that you have a certain physical device on you. Examples include SMS codes, auth apps, USB keys, wireless tags, card readers, etc.

Inherence factor (“something you are”): The system accepts you through the use of a biometric comparison. Examples include fingerprint scanners, retina scanners, voice recognition, etc.

These all sound good at a glance. But you may have already spotted some of the issues that could arise while using these for identity verification.

1. Factors Can Be Lost

The simple truth is, there is no guarantee that your authentication factors will be available when you need them. Most of the time they will, but it only takes one mistake to lock you out of your accounts.

Imagine you have SMS codes as your second authentication factor. It works just fine for day-to-day checking of bank accounts and whatnot, but then you’re hit with a massive hurricane and left without electricity for days or weeks.

Victims of Hurricanes Harvey and Irma found themselves locked out of their own accounts. Why? Because they had no way to charge their phones. No phones equals no authentication. No authentication equals no access.

While account recovery is often possible, it can take time and is likely to be a huge headache. If you have dozens of accounts protected with a single factor and you lose that factor, then you need to recover all of those accounts. Yikes.

2. False Sense of Security

While two-factor authentication does provide added security, the degree of this extra security is often exaggerated. Some people may even tell you that a two-factor-protected account is nigh unhackable, but that’s simply untrue.

Two-factor authentication is far from perfect.

Take recovery, for example. If you get locked out of a service because you lost a factor, aren’t you essentially in the same position as a hacker trying to gain access to your account? If you can reset account access without that factor, then so can a hacker.

In fact, account recovery options often make two-factor authentication pointless, which is why companies like Apple have moved away from most recovery methods. The bad news? Without recovery options, your account can be permanently lost.
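As an added illustration (not code from the original article), the following Python models the three factor categories described above together with the recovery argument: an account's effective assurance is set by the weakest path that grants access, and recovery flows are paths too. The factor names and the sample policy are constructed for this example.

```python
from enum import Enum


class Category(Enum):
    """The three factor groups the article lists."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Constructed mapping from concrete factors to their category.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "sms_code": Category.POSSESSION,
    "auth_app": Category.POSSESSION,
    "usb_key": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
}


def distinct_categories(path):
    """Count the distinct factor categories a login path demands.
    Two factors from one category (password plus security question)
    count once: that path is still single-factor authentication."""
    return len({FACTOR_CATEGORY[factor] for factor in path})


def effective_assurance(paths):
    """Assurance of the account is that of its weakest accepted path.
    Recovery flows are paths too, and the attacker picks the path, so a
    knowledge-only recovery flow drags a 2FA account back down to 1."""
    return min(distinct_categories(path) for path in paths)


def weakest_paths(paths):
    """Return every path that sets the effective assurance floor."""
    floor = effective_assurance(paths)
    return [path for path in paths if distinct_categories(path) == floor]


def usable_without(paths, unavailable):
    """Paths the owner can still complete when some factors are gone
    (the dead phone in Risk #1 takes SMS codes and the auth app with it)."""
    return [path for path in paths if not unavailable.intersection(path)]


# Constructed policy: a real 2FA login plus a knowledge-only recovery flow.
POLICY = [("password", "auth_app"), ("password", "security_question")]
```

With the constructed policy, the login path scores 2 but the recovery path scores 1, so the account's effective assurance is 1; drop the phone's factors and only the weak recovery path remains usable, which is exactly the trade-off Risks #1 and #2 describe.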

And then there are services that offer two-factor authentication but don’t fully commit to it, which puts account security out of your hands. For example, PayPal provides a second factor called “PayPal Security Key,” but back in 2014, as documented by Ian Dunn, it could be completely bypassed with zero effort.

All of this simply means: you can do everything right with two-factor authentication and still have your account compromised. Whatever sense of security it brings is a delusion.

3. It Can Be Turned Against You

Although two-factor authentication is meant to keep hackers out of your accounts, the reverse can happen as well: hackers may set up or reconfigure two-factor authentication to keep you out of your own accounts.

You can read about a Redditor’s first-hand experience with this: a hacker broke into his Apple account, rang up hundreds of dollars in purchases, then tied two-factor authentication to one of the hacker’s own devices. Despite being the account’s true owner, the Redditor could do nothing about it.

So in a sense, while two-factor authentication may not be effective enough at securing accounts (which we explored in Risk #2), it can be too effective.

As services continue to strengthen their two-factor protocols and make account recovery even more difficult, it becomes increasingly imperative that you set up two-factor authentication on your important accounts.

Do it now before a hacker does it for you.

What Do You Think?

Another big downside to two-factor authentication is the inconvenience of it. It’s only an added step, but when you’re logging into accounts on a weekly or daily basis, those extra steps add up. I think the inconvenience is worth it.

It would be easy to point at these risks and downsides as excuses to forgo two-factor authentication altogether, but I say keep using it (or start using it if you haven’t already). Just be aware of how it might backfire, and take the appropriate steps to avoid such issues.

Do you use two-factor authentication? Whether yes or no, tell us why in the comments below! And if you have any other risks to consider, share those too!


Thaddeus Avery

April 7, 2018 at 6:35 pm

I've come to loathe 2FA. I've used it for most of my accounts since school and before it was even popular. In all these years, the only thing it's ever done for me is cause headaches. I'm constantly being locked out of my own accounts after major updates or when I switch phone carriers or change phone #s and forget to update whomever I have 2FA with.

And it's true that you can forget your device and therefore be locked out of accounts. I have two phones, a personal and a work phone. I traveled to China with my work phone and subsequently for SIX MONTHS was locked out of most of my personal accounts because 2FA was enabled back home in the States on my personal phone. I've now disabled 2FA on my personal phone accounts and the phone itself and use 2FA only for my banking accounts and cloud storage, in which case I've switched from my phone as a unique 2FA device to either email or universally downloadable apps like Google Authenticator (which I can download to ANY cell phone to get a valid key).

While I understand how two-factor authentication can be useful, I also see just as many risks with it, one of which was not mentioned in this article: the very real possibility that your phone is lost and/or stolen.

In this scenario, all a thief has to do is bypass the boot protocols of your phone to get past the main security screen, which is possible on many models. Once they do that, it's easy pickings for any capable hacker to just start perusing your personal information on your phone, which puts them in a perfect position to gain access via two-factor authentication.

This should be concerning to anyone with a phone, because, let's face it, in today's society, times are tough, making criminals even more desperate and determined to find a way to infiltrate and exploit. This also makes things like the black market even more appealing to would-be passersby, who might not initially have criminal inclinations; however, with the thought that one could make a fast buck from selling a found phone, that really puts things into perspective.

Consider this too: most average users, while likely aware of the necessity to implement security software on their phones, also tend to lack the full knowledge required to properly configure such security, and in many cases are often left still quite vulnerable because of it.

For example, you might have a security application on your phone which has anti-theft protection; however, many of these applications require the user to go through a series of sometimes complicated steps, with vague instructions provided, in order to set up the anti-theft protection feature.

Some give up because they're discouraged by this. Others think they've done everything right, but because of the software producers' lack of attention to the fact that their instruction set is far too technically worded for the average user to understand, these particular users usually end up overlooking or misunderstanding something.

Then of course, you've got the other problem of the fact that every phone manufacturer has a different timetable for releasing the most current OS updates. This can also cause problems for the software applications being used on the phone.

In my opinion, there are just far too many variables that could go wrong for the average end user with sparse security and OS software knowledge to be able to put their implicit trust in something as trivial as two-factor authentication can be.

And this problem is made worse by the simple fact that software vendors have historically snubbed the average end users over this particular issue, and rather than making it a main priority of application development to actually include clear and concise instructions and help files, the vendors would rather balk at the issue and pretend that it's of little or no consequence.

This is akin to the super-geek calling the naive customer naive, while at the same time never once throwing them a bone, for the sake of their own selfish pride. Granted, not everyone in IT is like this, however, it is a problem and to a larger extent, a mind-set that still carries to the software vendor market, including that of security software. Add to that the growing lack of full customer support and interaction between these vendors and end users, and well, therein lies quite a disparity, to say the least.

Suffice to say, there's more to it than meets the eye, and in this case, there's still much more not being mentioned here that people in general should still definitely pay more than the usual attention to.

All the high-tech biometric gadgets and smart-home devices may be full of convenient features, but they are also rife with many security flaws too. If your phone gets stolen, well, maybe you have a chance at getting it back, but if you lose your phone, that becomes far less likely. Unless you have one of those lo-jack-style applications tied to your phone, you can pretty much kiss it good-bye, along with any two-factor authentication you once enjoyed on it.

Remember this too: thieves are very clever, and if they've already worked on gaining access to your account via a single factor, such as using your PII, once they have access to the phone you use for two-factor authentication, it's all over. All they need to do is contact the institution with your credentials and now they've assumed your identity without even breaking a sweat.

Much like cloud-computing, two-factor authentication can definitely provide a false sense of security, and in all fairness, one that is also lacking many safeguards.

One of the most important pieces of advice I can give is to be scrupulous and don't bank on your phone, literally or figuratively. Just be smart about the times when you do go online and stop sharing all your information with everyone. Also, you don't have to sign up for every account registration that presents that opportunity to you. The point being: the more of your personal information you share online, the more of you there is on the net to compromise!

2FA is useful for making sure that others aren't accessing your account from another location, and it would be nice to limit your login to certain IPs, so that hackers need to infiltrate your network in order to begin hacking your device.

I've never used 2FA and I doubt I ever will. I travel all over the world. Last thing I want is to have my phone / wallet stolen and then get locked out of my important online accounts!

I think the risk of NOT using 2FA is pretty minimal. Think about it -- ALL bank and email websites (and their apps) in this day and age feature HTTPS encryption starting right from their login page -- so no one can tell what they are just from sniffing public Wi-Fi. Guard your IDs and passwords carefully -- never reuse them on multiple sites -- and you should be pretty OK.